cerberust 0.1.1

Fast Rust guardrails for LLM input/output — composable scanners (PII, secrets, prompt-injection) and streaming middleware.
Documentation
name: Release

# Publish to crates.io on a version tag. The release runs from a clean checkout,
# so local untracked artifacts (scratch dirs, worktrees) can never enter the
# packaged crate — only the git-tracked tree is published.
on:
  push:
    tags:
      - 'v*.*.*'

permissions:
  contents: read

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: -D warnings

jobs:
  publish:
    name: publish to crates.io
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable
      # No build cache on the publish path: a poisoned cache could tamper with
      # the released artifact. Releases are infrequent — build from clean.
      - name: Verify tag matches crate version
        run: |
          tag="${GITHUB_REF_NAME#v}"
          crate="$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[0].version')"
          if [ "$tag" != "$crate" ]; then
            echo "::error::tag ${GITHUB_REF_NAME} does not match Cargo.toml version ${crate}"
            exit 1
          fi
      - name: cargo test
        run: cargo test
      - name: cargo publish
        run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}